New data privacy requirements in California’s recently enacted ballot initiative are likely to fuel additional litigation in the state, where attorneys were already testing the limits of a sweeping 2018 law.
The California Privacy Rights Act that the state’s voters approved earlier this month added more provisions, including enhanced penalties for violations involving children’s data and a new category for sensitive personal information. It also added email and password combinations to the narrow private right of action for breaches.
Lawyers have already been testing the limits of consumers’ ability to sue since the 2018 law, the California Consumer Privacy Act, took effect Jan. 1, filing dozens of lawsuits alleging not only harms from data breaches, but other CCPA violations as well. Drug rehabilitation centers, hotels, and medical device manufacturers, as well as companies such as
Publicity surrounding the ballot measure could spur additional lawsuits, said Brandon Reilly, a privacy and data security partner at Manatt, Phelps & Phillips LLP in Costa Mesa, California. The added provisions could expand the “surface area” for alleged noncompliance and drive a greater number of class actions alleging privacy violations once the new law takes effect, he said.
“There’s going to be a lot more that enterprising attorneys can try to grab onto,” Reilly said.
It’s too early to tell how successful such strategies ultimately will be given the limited private right of action, but companies will have to contend with a slew of lawsuits in the meantime.
“Until you have an appellate decision that clearly defines the scope of the private right of action, you will continue to see class action claims under the CCPA alleging these non-breach violations,” said Ashley Shively, a partner at Holland & Knight LLP in San Francisco who specializes in privacy and class action litigation.
Several plaintiffs’ attorneys did not immediately respond to requests for comment.
The CCPA mandated a raft of new data handling requirements on companies, and gave consumers the right to sue them for data breaches resulting from poor security practices.
The private right of action is limited to violations involving consumers’ nonencrypted and nonredacted personal information that undergoes “unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”
Two main types of lawsuits have emerged since the CCPA went into effect, Reilly said. The first type looks similar to classic data breach class actions, Reilly said, but adds the CCPA’s private right of action and seeks damages under that statute.
The second type involves non-breach causes of action, such as violations of the law’s right to opt out of sales of one’s data or the right to request it be deleted, Reilly said. Those suits often also allege that noncompliance constitutes a violation of California’s Unfair Competition Law.
One lawsuit from May against social media giant TikTok, for example, alleged the company violated the CCPA by collecting and using customers’ biometric information without notifying them.
Some attorneys have argued that noncompliance, or the heightened risk of breach exposure due to poor security practices, gives consumers the right to sue under the CCPA even if there’s no data breach, said Usama Kahf, a partner at Fisher Phillips LLP in Irvine, California, who specializes in workplace privacy and data security.
The lawyers argue that the use of consumer data in a way the person wasn’t aware of constitutes “unauthorized access.”
Not Going Away
The flow of class action litigation with non-breach claims is likely to continue until an appeals court clearly defines the scope of the private right of action or until California Attorney General Xavier Becerra (D) issues additional regulations for complying with the CCPA, lawyers say.
“We so far don’t have a clear judicial rebuke of that strategy,” Reilly said. “There’s no hallmark opinion yet that will be cited and then used to dismiss those types of claims.”
Many CCPA lawsuits are still in early stages. One proposed class action involving
An appellate decision on the private right of action “could be a while” given the lengthy process for class action litigation and the fact that the CCPA only went into effect at the beginning of the year, Shively said.
“This is still an area with a lot of uncertainty,” she said. “Everybody who is counseling businesses on the CCPA is watching to see how these cases play out in the courts.”
Companies should remain vigilant for litigation even with a narrow private right of action because certified class actions could carry hefty fines.
“Make sure your privacy notice and disclosures are clear and accurate,” said Purvi Patel, a privacy and class action partner at Morrison & Foerster LLP in Los Angeles. “Track as closely as practicable the specific delineations of the law.”
Businesses should prepare incident response protocols and beef up their security systems, Reilly said.
Companies should also work to ensure compliance with data collection and retention requirements as they manage the “moving target” of the coronavirus pandemic alongside new regulatory hurdles, said Meredith Slawe, co-chair of Cozen O’Connor’s class actions practice in Philadelphia.
“Some lawyers have moved to monetize the law,” Slawe said. “We expect to see more litigation, and that needs to be appropriately reined in.”